Here's a followup of sorts --each hijacking being unique-- to the "What If You Gmail Account Was Stolen" of a month+ ago. [ blogoscoped.com/forum/114364.html]
<b>EXECUTIVE PROCRASTINATOR SUMMARY</b>:
![[put at-character here]](image/at.gif) 1. Guy runs a web-based graphic design business;
2. Guy visits a rogue web site while simultaneously being logged in to Gmail;
3. Rogue Hacker surreptitiously inserts a pop-forward and/or redirect-then-delete filter into Guy's Gmail account that reacts to a future domain Registrar's confirmation email message(s);
4. Guy announces in blog post he'll be away on vacation for a month, therefore warns readers to expect a "quiet period";
5. couple of weeks later Guy finds out Rogue Hacker managed redirect, ergo hijack his domain to another registrar, and now holds him to ransom; illustrated details within.
EXECUTIVE-CLASS COMMENT: Guy's post-title below somewhat exaggerated, since it wasn't Gmail's failure as such --his password hasn't been compromised, and no mail has been lost-- but the Rogue Hacker's ability to do some nasty to a BETA piece of software. Anyhow, this particular hole apparently has since been plugged, but there'll always be new ones.... it's a rats' race between Googlers and Baddies with the objective of.... I dunno... who gets to mate first with Sergey and/or Larry?
Ian
"WARNING: Google's GMail security failure leaves my business sabotaged"
http://www.davidairey.co.uk/index.php
[item found on Digg, where it appeared yesterday with a different uri leading to a blind "302 Moved Permanently" http-redirect.] |
He failed the golden rule of Internet – "not to click on any links that are contained in E-mail from persons they don’t know." [ raynhampd.com/internet_safety.htm] |
And as I far as I know GMail isn't in beta, is it?
I think you are in risk always if you use internet, I mean... gmail, yahoo mail, hotmail, ... every service is vulnerable at some point! |
Haochi: actually, I suppose he could've gotten the plague just by _visiting_ an innocent website WHILE logged in (or _formerly_ innocent, ie. misused by the rogue third party), without clicking any links there, or opening unknown attachments. Observe the WHILE part: surely this would not have happened had he used 2 different webagents/browsers to keep the Gmail and the web-access workspaces apart.
Zim: you're among the top posters here --a site evoted to all thinggies Google-- person-rank this and that, and you're unaware of the BETA signifier part of Gmail logo? Makes one wonder.... |
Oops, I misunderstood the circumstance, but people, use NoScript for the sake of security! |
I have never had this problem with Yahoo mail. |
Not to sound too alarmist in our perfect-storm-in-a-teacup drama, you "never had this problem" (with Yahoo, or whatever, mail/app), but then you hardly know what other/ hitherto-undisclosed/ undiagnosed/ open-holey problems you might or might not have fortwith. It's never a given.
There are criminals out there, and they're evolving alongside defense techniques all the time. Ultimately Yahoo's not more hacker-safe than any other major service.
Personally I draw the line at (and am constantly amazed by the numbers of people partaking in) online banking, where there are real risks for major damage, and not mainly by any "immediate withdrawals" (which the banking institutions SO FAR compensate for), but in future, well-prepared and executed attacks in one's name, esp. against innocent fourth parties (=say the rogues invest your stolen money in penny stocks, which then go up, and, before anybody reacts, the untraceable rogues sell off their holdings at a profit, while "you" are holding the bag, so to speak). Point? |
Thanks for picking up on my story.
I do admit that there was a certain degree of naivety in my actions, but it appears that publishing my story has opened a lot of people's eyes to just how vulnerable their online security is.
Granted also, that my post title is somewhat of an exaggeration, but I think it's helped me to get the story linked to by the New York Times.
All the best for this Christmas, and for 2008.
Kind regards. |
No need to apologize, David, we're all virgins when victimised ;-))
All the same, I'd expect some kind of follow-up from you, esp. published responses to requests to Yahoo, registrars, etc., of their customer being your blackmailer. Take your time (and signal here). Also that so-called escrow service shouldn't escape untouched....
In a sense it's a pity you haven't negotiatied a bit with the low-life, if only to create some computer-trail for the police, Google, and/or your ISP to investigate.
The problem of botnet-based crime, as yours undoubtedly was, is not insolvable in itself. Only, long as there are not enough legit claims of wronged parties against known or unknown perps, or not enough wrongdoing equals tax-base loss, to warrant government action, there's not enough incentive for our, in computer terms truly reptilian, legal/ juridical practices to change/ adapt/ redefine the paradigms.
Someone has to write a "broadband/ AJAX/ Web 2.0"-equivalent of Clifford Stoll's "The Cuckoo's Egg" [tracing a foreign spy through the maze of computer networks]. Still in print, but oh-so-dated in these times of flood of digital commodities.... |
Be sure that I'll publish a follow-up, and here's hoping it tells a more positive tale.
Bye for now. |
